Replace Math.random() with crypto function

[swetha8612]

There is a Math.random() in dist/d3.js file.
Please update it with crypto function like window.crypto.getRandomValues(new Uint32Array(10))[0]
The fortify scan is raising it as a security vulnerability during the scan.

[swetha8612]

is there a new version for this change?

[mbostock]

No, I’m declining your request as it is nonsensical.

[swetha8612]

We are using d3 package in some of our projects and when we ran fortify scans it has been flagged as high vulnerability. It is asking to replace Math.random() to crypto function. There are other packages which have this same issue. I am trying to contact them as well. Thank you.

[jayDayZee]

My friend, the random numbers generated within D3 do not have a security implication. What you should be doing is informing your "foritfy" widget that d3 is not part of your security / privacy landscape, not asking a graphics / data analytics tooling to present cryptographic random numbers. Christopher Reay (they / them) Be prepared to have your predictions come true

…

On Thu, 14 Dec 2023 at 17:00, swetha8612 ***@***.***> wrote: We are using d3 package in some of our projects and when we ran fortify scans it has been flagged as high vulnerability. It is asking to replace Math.random() to crypto function. There are other packages which have this same issue. I am trying to contact them as well. Thank you. — Reply to this email directly, view it on GitHub <#3807 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AGIAA37JYB46QSEMDMAGSNDYJMWCHAVCNFSM6AAAAABAVACO3KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQNJWGIYDMNZVGU> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>